정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석 Develop high quality embedded software 이영준 Principal Application Engineer 2015 The MathWorks, Inc. 1
Agendas Unit-proving of AUTOSAR Component and Runtime error Secure Coding Standard and Polyspace MISRA-C:2012 Amendment 1 ISO 17961 CERT-C/C++ CWE 2
Unit-Proving of AUTOSAR Component And Runtime Error 3
What is AUTOSAR? The Automotive industry and its challenges Specifications OEMs objectives: Integration from different suppliers Need confidence in the supplier s code Supplier s challenge: Time-to-market Code size Pressure from OEMs Set up the supply chain OEMs (manufacturers) HMC BMW ARXML files Tier-1 (suppliers) Hyundai Bosch AUTOSAR solves by providing a software architecture and common specifications (ARXML files) Implementations Components providers (general and need to be calibrated to a specific vehicle) Need for validation of AUTOSAR components among actors 4
How Polyspace for AUTOSAR can help? Specifications 3 4 1) check for run-time errors and mismatch in the ARXML specifications 2) Check if implementation follow specifications OEMs ARXML files Tier-1 3) assess impact of changes in the specifications 2 1 4) check implementation against specifications updates Implementations ARXML files are used to communicate, Polyspace for AUTOSAR is used to prove robustness and compliance 5
Polyspace for AUTOSAR features Automatic split by component swca.c swca.h swcb.c Sound analysis Sound analysis plus checks to prove that the code matches the specification Back to specifications New view to detail the AUTOSAR specification ARXML Implementation (source files) polyspace-autosar SW-C1 SW-C2 SW-C3 Polyspace Automatic launching on each component Prove specs matching 6
Polyspace for AUTOSAR workflow Specifications ARXML files Implementation Simulink model Split the code in components as defined in ARXML Polyspace for AUTOSAR SW-C1 SW-C2 SW-C3 Perform a separate unit analysis of each component with Polyspace Free of run-time errors Checks that code of runnable respects its output specification Checks that code of runnable calls Rte functions in respect of their specification swca.c swca.h swcb.c 7
Polyspace and AUTOSAR ARXML AUTOSAR architecture ARXML provides specification of Application Layer and link with RTE Polyspace verifies the match between code and ARXML Application Layer Polyspace verifies the Application Layer RTE Polyspace stubs the RTE Layer RTE Layer not verified by Polyspace for AUTOSAR Polyspace can verify RTE Services Layer ECU Abstraction Layer Basic Software Microcontroller Abstraction Layer Complex Device Drivers Not verified by Polyspace for AUTOSAR Polyspace may verify these ECU Hardware 8
Unit verification of an AUTOSAR software component ARXML Runnable Runnable Runnable Calls the runnables as defined in specification ARXML provides specification of runnables: - Context of call - Output ARXML provides specification of Rte functions Component = set of runnable functions C code Runnable Rte functions Service / ECU Layers Verifies each runnable in isolation Checks that code of runnable respects its output specification Checks that code of runnable calls Rte functions in respect of their specification 9
Unit verification of an AUTOSAR software component Simulink model. Calls the runnables as defined in specification ARXML provides specification of runnables: - Context of call - Output. ARXML ARXML provides specification of Rte functions C code Runnable Rte functions Service / ECU Layers Checks that code of runnable respects its output specification Checks that code of runnable calls Rte functions in respect of their specification 10
Hand-Written Code based on ARXML Polyspace for AUTOSAR SWC 11
Generated Code From Simulink Model based on ARXML Polyspace for AUTOSAR SWC 12
Workflow Benefits Provide automatically the best configuration for Polyspace Detect inconsistencies between AUTOSAR specifications and code implementation Unit verification of AUTOSAR software components with Polyspace Sound analysis: proves that code respects the specification Static analysis: considers all potential cases 13
Secure Coding and Polyspace 14
Safety vs. Security Safety System issue Environment Security Environment attack System Note: Security issues may cause safety issues SAE J3061 15
Cybersecurity Industry Activities & Standards SAE Vehicle Cybersecurity Systems Engineering Committee SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Vehicle Systems SAE J3101 - Requirements for Hardware-Protected Security for Ground Vehicle Applications (WIP) SAE Cybersecurity Assurance Testing Task Force (TEVEES18A1) Coding standards & practices that we observe at automotive customers - MISRA-C:2012 Amendment 1 - ISO/IEC TS 17961 C Secure Coding Rules - CERT-C / CERT-C++ - CWE Common Weakness Enumeration 16
ISO/IEC TS 17961 Compared with Other Standards Coding Standard C Standard Security Standard Safety Standard International Standard CWE None/all Yes No No N/A MISRA C:2004 C89 No Yes No No MISRA C:2012 C99 No Yes No No CERT C99 C99 Yes No No Yes CERT C11 C11 Yes Yes No Yes ISO/IEC TS 17961 C11 Yes No Yes Yes Whole Language Table is based on the book: 17
SEI CERT C Coding Standard This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas Recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. 18
CERT-C Coverage with Polyspace You can map Polyspace results to CERT C rules and recommendations Using Polyspace results, you can address 103 CERT C rules (90%) and 95 CERT-C recommendations (50%) The CERT C website, under continuous development, lists 118 rules and 188 recommendations (Count based on The CERT C++ Coding Standard document, 2016 Edition) 19
CERT-C++ coverage with Polyspace You can map Polyspace results to CERT C++ rules Using the Polyspace results, you can address 34 CERT C++ rules (40%) and 79 CERT C rules that also apply to C++ (99%) The CERT C++ website, under continuous development, lists 163 rules including 80 CERT C rules that also apply to C++ (based on count in April 2018 in CERT-C++ web site) Two new arguments for option checkers in C++ mode (-lang CPP): CERT-rules (only CERT-C++ rules) and CERT-all (it includes also CERT-C rules that apply) 20
Completeness And Soundness From ISO 17961 False Negatives Failure to report a real flaw in the code is usually regarded as the most serious analysis error, as it may leave the user with a false sense of security. False Positives The tool reports a flaw when one does not exist. Polyspace Code Prover Polyspace Bug Finder 21
ISO/IEC TS 17961 C secure coding rules 22
ISO 17961 - C Secure Coding Rules The purpose of this Technical Specification is to specify analyzable secure coding rules that can be automatically enforced to detect security flaws in C-conforming applications. To be considered a security flaw, a software bug must be triggerable by the actions of a malicious user or attacker. 23
ISO 17961 - C Secure Coding Rules 24
Polyspace Bug Finder And Security Standard Well-know defects for unreliable code like buffer overflows, dead code Plus two categories: Security and Tainted data Security Standards CERT-C ISO-17961 (Full) MISRA-C 2012 (Full) CWE The mapping table between Polyspace Bug Finder and Security Standard MATLAB_INSTALL\polyspace\resources\Polyspace Results R2018b.xlsx 25
How does Polyspace help you with embedded software security? Detecting security vulnerabilities and underlying defects early Provides Exhaustive Documentation and recommendation for security fix Proving absence of certain critical vulnerabilities Complying with industry standards MISRA-C, CWE, CERT C, ISO 17961 26
Q & A 27